> I wrote: > > What do you suggest? Perhaps a signed file containing the md5sums in > > /usr/doc/package? That is something developers could just start doing. > Rene Mayrhofer writes: > > Signed by whose key ? > The developer's, of course. The signature would go as another file in the `ar' archive, I think there's no doubt about that.